Filed under: Odds and ends, Internet
Browser security: "The main thing is not to install Flash!"
You may have noticed that I'm not a huge fan of Flash. My feelings pre-date the iPhone/iPad debate about whether or not Flash should be included on those devices. Even back when I was using Windows and Opera, one of the features I used most often was "Disable Plugins", which was really another way of saying "Disable Flash." These days I do the same thing in Safari using ClickToFlash.

Flash lovers usually point to how many games are only available in Flash. Flash haters usually point to performance issues, especially on the Mac. Adobe tries to make the argument that not including Flash is bad for users' freedom of choice.
When it comes to browser security, Charlie Miller says that it's all about Flash. More specifically, avoiding Flash.
Miller, who has won the Pwn2Own contest two years running (both times by exploiting Safari on a Mac), was interviewed by the Italian site OneITSecurity. They asked him which browser and OS he thought was the safest. The first part of his reply probably won't make Mac users happy: he suggests Windows 7 with either Chrome or IE8, saying "there probably isn't enough difference between the browsers to get worked up about." But the highlight for me was the next quote: "The main thing is not to install Flash!"
The guy who seems to be the best in the world at breaking into your web browser tells you not to install Flash. If you can't do without it, consider installing ClickToFlash; it's completely free, and it keeps Flash from loading until you click on it, so a page can't start the plugin simply by embedding a .swf. That should make your browsing significantly safer on any platform. It does not, however, patch the plugin itself, so whatever Flash you keep still needs to be kept up to date.
Hat tip to Jay Hathaway at DownloadSquad for bringing this to our attention.
Reader Comments (Page 1 of 3)
Level 5 said 12:53PM on 3-02-2010
+1 For Flashblock or ClickToFlash. Flash isn't a bad technology, but it's poorly supported and very much abused by authors.
Reply
brchk05 said 12:53PM on 3-02-2010
That being said, Miller is known to be mostly a Mac user.
Reply
NateF said 1:44PM on 3-02-2010
Are you pulling the fanboy card on Miller? Really?
MacSecFan said 2:38PM on 3-02-2010
NateF: I'm not even sure what that means. All I said is that he uses a Mac.
Charli said 3:43PM on 3-02-2010
yeah and given what he does, he understands why Jobs and Co aren't supporting Flash in the iphone OS and are encouraging HTML5 everywhere.
MacSecFan said 5:34PM on 3-02-2010
But, doesn't everyone understand that? I think my original comment has been misconstrued. All I meant to point out is that security is obviously important, but despite that, Miller apparently finds virtue in the Mac platform despite it not always being the most secure (in his opinion). That is to say, he wasn't simply making a biased dig at Macs like some might suppose.
balls said 12:56PM on 3-02-2010
Funny that you pretty much dismiss his assertion to run Windows7, and focus solely on "Don't Install Flash."
Firefox users outta try NoScript, which prevents JavaScript and Flash from loading unless I want it to. It cuts out the ads from sites like TUAW, and protects against malicious JavaScript and Flash content.
Reply
Joshua Ochs said 1:27PM on 3-02-2010
Then again, most of the things he likes about Windows 7 and IE8/Chrome - address randomization, process separation between the browser and plugins, etc. - are part of 64-bit Snow Leopard and Safari 4/Chrome. (You don't get plugin process separation from Safari 4 when in 32-bit mode.)
I'd be quite interested to hear a more detailed take from him on these improvements vs Windows 7. It would certainly be an impartial take on the relative security of the two systems, and we could sure use such a perspective.
whatballs? said 1:56PM on 3-02-2010
"outta"? 'Out of'? He means 'ought to'.
jameschurchman said 2:30PM on 3-02-2010
Also, does ClickToFlash actually improve the security of Flash?
I assume that's only an "assumption",
and possibly a wrong one, as the default is "automatically load invisible Flash", which loads any Flash file less than 1px by 1px.
Surely if someone is trying to embed a dodgy Flash file to exploit your browser, they will make it tiny, or "invisible"?
(So I would also recommend disabling the default "automatically load invisible Flash" in ClickToFlash.)
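To make concrete what the post means by "loads only when you tell it to", and the point raised in the comment above about invisible Flash being auto-loaded, here is an added example in JavaScript. It is not ClickToFlash's own code: it models a click-to-play policy over plain element descriptors rather than live DOM nodes so it runs under Node, and the hosts (video.example, ads.example, page.example), the sample page, and the policy names are assumptions constructed for the example.

```javascript
// Added example, not ClickToFlash's own code: a minimal click-to-play policy for
// Flash embeds, modelled on the behaviour the post and the comment above describe.
// Elements are plain descriptors (tag/type/src/width/height) instead of live DOM
// nodes so the logic runs in Node; the sample page below is constructed here.

const FLASH_MIME = "application/x-shockwave-flash";
// CLSID of the Flash ActiveX control that IE pages use in <object classid="...">.
const FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000";

// Does this <object>/<embed> descriptor carry Flash content?
function isFlash(el) {
  const tag = String(el.tag || "").toLowerCase();
  if (tag !== "object" && tag !== "embed") return false;
  const type = String(el.type || "").toLowerCase();
  const classid = String(el.classid || "").toLowerCase();
  const src = String(el.src || el.data || "").toLowerCase().split("?")[0];
  return type === FLASH_MIME || classid === FLASH_CLSID || src.endsWith(".swf");
}

// "Invisible" Flash: an embed explicitly sized 1x1 or smaller, the kind the
// "automatically load invisible Flash" option lets through without a click.
function isInvisible(el) {
  if (el.width == null || el.height == null) return false;
  const w = Number(el.width), h = Number(el.height);
  return Number.isFinite(w) && Number.isFinite(h) && w <= 1 && h <= 1;
}

// Hostname the SWF is fetched from; relative URLs resolve against the page URL
// (hypothetical host page.example, an assumption of this example).
function hostOf(url) {
  return new URL(url || "", "http://page.example/").hostname;
}

// Decide for one element. allowInvisible mirrors the default the comment warns
// about; whitelist is the set of hosts the user has already clicked to allow.
function decide(el, policy) {
  if (!isFlash(el)) return "allow";                 // not Flash: nothing to gate
  if (policy.whitelist.includes(hostOf(el.src || el.data))) return "allow";
  if (policy.allowInvisible && isInvisible(el)) return "allow"; // the trap
  return "block";                                   // show a click-to-load placeholder
}

// Apply the policy to every element of a page; returns one decision per element.
function applyPolicy(elements, policy) {
  return elements.map((el) => ({ id: el.id, decision: decide(el, policy) }));
}

// Constructed sample page: a visible player, a 1x1 beacon from an ad host, an
// <object> identified only by its CLSID, and an image that is not Flash at all.
const SAMPLE_PAGE = [
  { id: "player", tag: "embed", type: FLASH_MIME, src: "http://video.example/clip.swf", width: "480", height: "360" },
  { id: "beacon", tag: "embed", type: FLASH_MIME, src: "http://ads.example/b.swf?x=1", width: "1", height: "1" },
  { id: "legacy", tag: "object", classid: "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000", data: "movie.swf", width: "300", height: "200" },
  { id: "logo",   tag: "img", src: "http://page.example/logo.png", width: "1", height: "1" },
];

// Hypothetical policies: the permissive one is the default the comment warns about.
const DEFAULT_POLICY = { allowInvisible: true,  whitelist: ["video.example"] };
const STRICT_POLICY  = { allowInvisible: false, whitelist: ["video.example"] };

console.log(JSON.stringify(applyPolicy(SAMPLE_PAGE, DEFAULT_POLICY)));
console.log(JSON.stringify(applyPolicy(SAMPLE_PAGE, STRICT_POLICY)));
```

Run it with `node`. Under the permissive policy the 1x1 beacon from ads.example is allowed without a click, while the strict policy blocks it; the whitelisted player loads either way. Note that the "invisible" check is by declared size only, so a real blocker should treat any Flash element that is not whitelisted as something to gate, and the blocker reduces exposure without patching the plugin.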
Izzy said 4:09PM on 3-02-2010
Because it's a Mac blog.
Dan said 4:30PM on 3-02-2010
@Joshua:
Miller did discuss ASLR and security in 10.6:
http://news.techworld.com/security/3201863/snow-leopard-less-secure-than-windows-says-hacker/
He calls Apple's ASLR "half-baked".
chintu74guns said 8:15PM on 3-02-2010
Huh, I agree, it is easy to say "don't install Flash", but if you don't install Flash you are cutting yourself off from virtually half the web. I would rather prefer to live without Windows. BTW, I use the Flashblock addon for Firefox and it works pretty well for me. :)
Chimpu Sharma
http://ezyresell.com
igepard said 12:59PM on 3-02-2010
I have been using ClickToFlash for a while and love it. It would be even better if we didn't have Flash at all. Most of the Flash content is advertisements and games, and only a small part is used for website design, which can be achieved by other methods.
Reply
Dale said 1:00PM on 3-02-2010
Flash is not just a pain in the arse on Mac. It regularly grinds my work PC to a halt - it's a not-entirely-dated Core 2 Duo E6300 running at 1.86GHz and I have 3.5GB of RAM, but it shuts me the hell down.
I'm sure they can do a lot to optimise Flash for portable devices, but if they're not even bothering for desktop computers - where they already have near 100% ubiquity - why are Flash proponents suddenly sure they will do so for our phones?
Reply
pax copia said 1:05PM on 3-02-2010
Even with ClickToFlash and Flashblock, people need to seriously frequent the plugin's crazy proprietary settings panels so that they can at least try to manage and remove the Flash junk that seeps like sewage from all the Flash trash:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
Note: you can't do it once and forget about it, you need to visit it often as it tends to deviously reset itself
Reply
pax copia said 1:10PM on 3-02-2010
Be sure to uncheck both "Allow third-party Flash content to store data on your computer" and "Store common Flash components to reduce download times" and be sure to "Always deny" flash from having access to your system. And be sure to clear it all out.
pax copia said 1:14PM on 3-02-2010
One more thing: make sure you manually visit Adobe's site to make certain you have the latest build of their plug-in, as the plug-in itself rarely properly alerts users to the latest updates and in fact often gets it wrong. It's almost as if it wants people to browse around for a while without the latest patches and fixes.
wosuh said 1:19PM on 3-02-2010
you are officially a hater.
What's so bad about having more options and competition between these monster corporations, except that it might hurt Apple's business?
And what is your suggestion for rich media content? HTML5 cannot do everything, not even close, that Flash can do.
Reply
pax copia said 1:33PM on 3-02-2010
There are a lot of options that could be pursued in place of Flash, such as Java, which by the way is open source and can in fact do a lot more than what Flash can or could ever do.
By the way, why play flash plug-in favoritism? Shouldn't you stretch out a bit and campaign for all the other plug-ins, players and readers that exist and have existed in the world? I mean if you believe Apple should be required to prop up Flash (even with how flawed it is) then why don't you think they should do the same for all the rest?